Welcome to the Open Source Puppet Sudo Users Quick Start Guide. This document provides instructions for getting started managing sudo privileges across your Puppet deployment, using a module from the Puppet Forge in conjunction with a simple module you will write.

In most cases, managing sudo on your agents involves controlling which users have access to elevated privileges. Using this guide, you will learn how to do the following tasks:

Note: You can add the sudo and privileges classes to as many agents as needed, although we describe only one for ease of explanation.

Install the saz-sudo module

The saz-sudo module, available on the Puppet Forge, is one of many modules written by a member of the Puppet user community. You can learn more about the module by visiting http://forge.puppetlabs.com/saz/sudo.

To install the saz-sudo module:

As the root user on the Puppet master, run puppet module install saz-sudo.

You should see output similar to the following:

Preparing to install into /etc/puppetlabs/code/environments/production/modules …

Write the privileges class

Some modules are large and complex and take a significant amount of trial and error to get right, while others work right out of the box. The module you write here is very simple: it contains just one class.

A quick note about modules directories

By default, Puppet keeps modules in an environment’s modulepath, which for the production environment defaults to /etc/puppetlabs/code/environments/production/modules. This includes modules that Puppet installs, those that you download from the Forge, and those you write yourself.

Note: Puppet also creates another module directory: /opt/puppetlabs/puppet/modules. Don’t modify or add anything in this directory, including modules of your own.

That’s it! You’ve written a module that contains a class that, once applied, ensures that your agents have the correct sudo privileges set for the root user and the “admins” and “wheel” groups.

Note the following about the resource in the privileges class:

The sudo::conf ‘admins’ line creates a sudoers rule to ensure that members of the admins group have the ability to run any command using sudo. This resource creates a configuration fragment file to define this rule in /etc/sudoers.d/. It will be called something like 10_admins.

Add the privileges and sudo classes

From the command line on the Puppet master, navigate to the main manifest: cd /etc/puppetlabs/code/environments/production/manifests.

Open site.pp with your text editor and add the following Puppet code to the default node:

From the command line on your Puppet master, run puppet parser validate site.pp to ensure that there are no errors. The parser will return nothing if there are no errors.

From the command line on your Puppet agent, run puppet agent -t to trigger a Puppet run.

That’s it! You have successfully installed the saz-sudo module and applied the privileges and sudo classes to your agent.

Note the following about your new resources in the site.pp file:

sudo::conf ‘web’: Creates a sudoers rule to ensure that members of the web group have the ability to run any command using sudo. This resource creates a configuration fragment file to define this rule in /etc/sudoers.d/.

sudo::conf ‘admins’: Creates a sudoers rule to ensure that members of the admins group have the ability to run any command using sudo. This resource creates a configuration fragment file to define this rule in /etc/sudoers.d/. It will be called something like 10_admins.

sudo::conf ‘jargyle’: Creates a sudoers rule to ensure that the user jargyle has the ability to run any command using sudo. This resource creates a configuration fragment file to define this rule in /etc/sudoers.d/. It will be called something like 60_jargyle.
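Putting the privileges class and the site.pp additions together, here is an added example (not the guide’s own manifests) built on the saz-sudo sudo::conf type’s priority and content parameters. The exact sudoers rule text, the file paths, and the priority values for admins and jargyle (chosen to match the fragment names the guide mentions) are assumptions. Be aware that, by default, the saz-sudo sudo class replaces /etc/sudoers with its own template and purges unmanaged files from /etc/sudoers.d/, so any sudo rule not expressed as a sudo::conf resource disappears on the first run; check the README for the module version you installed.

```puppet
# File: /etc/puppetlabs/code/environments/production/modules/privileges/manifests/init.pp
# (assumed path, following the modulepath described above)
class privileges {
  # Each sudo::conf resource drops one fragment into /etc/sudoers.d/,
  # named "<priority>_<title>", so this one becomes 10_admins.
  sudo::conf { 'admins':
    priority => 10,
    content  => '%admins ALL=(ALL) ALL',   # assumed rule: any command, password still required
  }

  sudo::conf { 'wheel':
    priority => 10,
    content  => '%wheel ALL=(ALL) ALL',
  }
}

# File: /etc/puppetlabs/code/environments/production/manifests/site.pp
node default {
  include sudo         # saz-sudo: manages /etc/sudoers and the /etc/sudoers.d/ directory
  include privileges   # the class written above

  sudo::conf { 'web':
    content => '%web ALL=(ALL) ALL',       # default priority 10 in saz-sudo -> 10_web
  }

  sudo::conf { 'jargyle':
    priority => 60,                        # lands in /etc/sudoers.d/60_jargyle
    content  => 'jargyle ALL=(ALL) ALL',
  }
}
```

Validate both files with puppet parser validate before triggering the agent run, then confirm the resulting rules with sudo -l -U jargyle as described below.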

From the command line on the Puppet agent, run sudo -l -U jargyle to confirm it worked. The results should resemble the following: